Vulnerability Reportportainer/portainer-ce:latest

Name: portainer/portainer-ce:2.39.3 Security Vulnerability Report
Creator: BaseImage
Keywords: portainer/portainer-ce:2.39.3, Docker security, vulnerability scan, CVE, container security, SBOM

portainer/portainer-ce:latestportainer/portainer-ce:ltsportainer/portainer-ce:2.39.3

DIGESTsha256:d27f76194b719bfe2a34779d51798a7adf02510cfba69ebcb538267f75aa4f47

Executive Summary

DANGEROUS

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. Exploiting the most severe vulnerability, CVE-2026-45570, could lead to remote code execution on the Portainer host and potential full system compromise. Furthermore, multiple high-context denial-of-service vulnerabilities, including CVE-2026-33814, could render the Portainer web UI unavailable. The critical RCE (CVE-2026-45570) specifically applies when Portainer interacts with Git repositories via SSH transport using specially crafted paths.

Threat Score

75/100

DANGEROUS

A critical remote code execution vulnerability (CVE-2026-45570) with a severity of 9.6 is exposed on the image's surface.
This vulnerability is highly contextual, allowing for arbitrary command execution on the Portainer host if malicious Git repository paths are processed via SSH transport.
Multiple other high-context vulnerabilities, including CVE-2026-33814 and CVE-2026-39820 (severity 6.38 each), expose the image to denial-of-service attacks.
Despite being from a VERIFIED publisher, the image carries a high threat score of 75 due to these critical findings.

Reputation

TRUSTED

portainer

VERIFIED

Verified Publisher (Trusted Vendor)
Pinned by digest (Immutable)

BaseImage/

portainer/portainer-ce:latest

Hardened

Grade

A+

Vulns

Verified & secured for production

Vulnerabilities

Vulnerability Log

36 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45570	CRITICAL9.6	github.com/go-git/go-git/v5 v5.19.0 fixed in 5.19.1	—	Directly ExposedContext importance: HIGH
CVE-2026-33814	MEDIUM6.38	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39820	MEDIUM6.38	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-33814	MEDIUM6.38	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39820	MEDIUM6.38	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-33997	MEDIUM5.5	github.com/docker/docker v28.5.1+incompatible fixed in 29.3.1	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34040	MEDIUM5.3	github.com/docker/docker v28.5.1+incompatible fixed in 29.3.1	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39826	LOW3.67	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39826	LOW3.67	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33747	LOW3	github.com/moby/buildkit v0.25.1 fixed in 0.28.1	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-15558	LOW2.45	github.com/docker/cli v28.5.1+incompatible fixed in 29.2.0	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-33748	LOW2.29	github.com/moby/buildkit v0.25.1 fixed in 0.28.1	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	—	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	—	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	—	Not Applicable
CVE-2026-46680	NONE0	github.com/containerd/containerd v1.7.30 fixed in 1.7.32	—	Not Applicable
CVE-2026-46680	NONE0	github.com/containerd/containerd/v2 v2.1.5 fixed in 2.0.9, 2.2.4, 2.3.1	—	Not Applicable
CVE-2026-41567	NONE0	github.com/docker/docker v28.5.1+incompatible No fix yet	—	Not Applicable
CVE-2026-42306	NONE0	github.com/docker/docker v28.5.1+incompatible No fix yet	—	Not Applicable
CVE-2026-41568	NONE0	github.com/docker/docker v28.5.1+incompatible No fix yet	—	Not Applicable
CVE-2026-45571	NONE0	github.com/go-git/go-git/v5 v5.19.0 fixed in 5.19.1	—	Not Applicable
GHSA-w5pp-99ch-qj29	NONE0	github.com/go-git/go-git/v5 v5.19.0 fixed in 5.19.1	—	Not Applicable
CVE-2025-47909	NONE0	github.com/gorilla/csrf v1.7.3 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	—	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	—	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	—	Not Applicable